Excluding stat syscall logging for specific path

Vincas Dargis vindrg at gmail.com
Fri Apr 29 17:56:26 UTC 2016


Hi,

When playing/learning with auditd, I wanted to log events when apache fails to access a file.

Here are the rules I used in Debian Wheezy (same on Jessie and current latest Testing):

-a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
-a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web

The /var/www/server-status file is non-existent; it's just an alias for accessing mod_status information (the http://.../server-status path is accessed by munin regularly), so I wanted to minimise noise with that exit,never rule.

But I can't get it to work.

I have a more in-depth post in the Debian forums [1] if that helps, but in short, should this work in general?

Thanks!

[1] http://forums.debian.net/viewtopic.php?f=5&t=128092
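
A way to check from the log whether the exit,never rule is taking effect, as an added example that is not part of the original post: it groups raw audit records by event ID and counts failed syscalls tagged with key "web" per path. The log lines are constructed samples in the raw audit.log layout, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in the raw audit.log layout (not taken from the post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1461952500.101:501): arch=c000003e syscall=4 success=no exit=-2 uid=33 comm="apache2" key="web"
type=PATH msg=audit(1461952500.101:501): item=0 name="/var/www/server-status"
type=SYSCALL msg=audit(1461952530.220:502): arch=c000003e syscall=4 success=no exit=-13 uid=33 comm="apache2" key="web"
type=PATH msg=audit(1461952530.220:502): item=0 name="/var/www/private/.htpasswd" inode=131 dev=08:01
type=SYSCALL msg=audit(1461952560.330:503): arch=c000003e syscall=4 success=no exit=-2 uid=33 comm="apache2" key="web"
type=PATH msg=audit(1461952560.330:503): item=0 name="/var/www/server-status"
type=SYSCALL msg=audit(1461952590.440:504): arch=c000003e syscall=2 success=yes exit=3 uid=0 comm="cron" key="other"
type=PATH msg=audit(1461952590.440:504): item=0 name="/etc/crontab" inode=77 dev=08:01
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by event id: {id: {"syscall": fields, "paths": [names]}}."""
    events = defaultdict(lambda: {"syscall": {}, "paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)]["syscall"] = fields
        elif fields.get("type") == "PATH" and "name" in fields:
            events[m.group(1)]["paths"].append(fields["name"])
    return events

def failed_by_path(log_text, key="web"):
    """Count failed syscalls carrying the given audit key, per PATH name."""
    counts = Counter()
    for ev in parse_events(log_text).values():
        sc = ev["syscall"]
        if sc.get("key") == key and sc.get("success") == "no":
            counts.update(ev["paths"])
    return counts

def split_noise(log_text, excluded="/var/www/server-status", key="web"):
    """Return (events still logged for the excluded path, counts for other paths)."""
    counts = failed_by_path(log_text, key)
    noise = counts.pop(excluded, 0)
    return noise, dict(counts)

if __name__ == "__main__":
    print(split_noise(SAMPLE_LOG))
```

A non-zero first value means events for the excluded path are still being recorded. Names containing spaces or special characters are hex-encoded in raw logs and would need decoding before comparison.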




More information about the Linux-audit mailing list